Refactor Docker Hub CI to use composite action and enable debian / al…

…pine flavors (#54) * Fix typo in debian Dockerfile * Rename existing Dockerfile to Dockerfile.debian * Add alpine Dockerfile * Refactor on-release to use composite action and flavors * Refactor workflow-dispatch to use composite action and flavors
ghga-de · Aug 12, 2024 · 92e9ab3 · 92e9ab3
1 parent a3a41ae
commit 92e9ab3
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 95 deletions.
diff --git a/.github/workflows/ci_workflow_dispatch.yaml b/.github/workflows/ci_workflow_dispatch.yaml
@@ -34,6 +34,7 @@ jobs:
     strategy:
       matrix:
         service: ${{ fromJson(needs.changed-services.outputs.services) }}
+        flavor: ["", "debian"]
       fail-fast: false
 
     steps:
@@ -73,41 +74,17 @@ jobs:
         id: symlink-requirements
         run: cp -r lock services/${{ matrix.service }}/lock
 
-      - name: Prepare Dockerfile
-        id: prepare-dockerfile
-        run: cp Dockerfile services/${{ matrix.service }}/ && sed -i "s/\(ENTRYPOINT \)\[\]/\1[\"${{ matrix.service }}\"]/" services/${{ matrix.service }}/Dockerfile
+      - name: Prepare Dockerfiles
+        id: prepare-dockerfiles
+        run: cp Dockerfile* services/${{ matrix.service }}/ && sed -i "s/\(ENTRYPOINT \)\[\]/\1[\"${{ matrix.service }}\"]/" services/${{ matrix.service }}/Dockerfile*
 
-      - uses: docker/setup-qemu-action@v3
-        name: Set up QEMU
-
-      - uses: docker/setup-buildx-action@v3
-        name: Set up Docker Buildx
-
-      - uses: docker/login-action@v3
-        name: Login to DockerHub
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - uses: docker/build-push-action@v5
-        name: Build and push
-        id: docker_build
+      - name: Docker build and push
+        uses: ghga-de/gh-action-ci@v1
         with:
-          push: true
-          platforms: "${{ env.DOCKERHUB_PLATFORMS }}"
-          tags: "${{ env.DOCKERHUB_NAMESPACE }}/${{ steps.extract-service-name.outputs.name }}:${{ steps.extract-service-version.outputs.version }}-${{ github.sha }}"
-          context: "services/${{ matrix.service }}"
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: "docker.io/${{ env.DOCKERHUB_NAMESPACE }}/${{ steps.extract-service-name.outputs.name }}:${{ steps.extract-service-version.outputs.version }}-${{ github.sha }}"
-          format: "table"
-          exit-code: "1"
-          ignore-unfixed: true
-          vuln-type: "os,library"
-          severity: ${{ env.TRIVY_SEVERITY }}
-
-      - name: Image digest
-        shell: bash
-        run: echo ${{ steps.docker_build.outputs.digest }}
+          checkout: "false"
+          dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }}
+          dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }}
+          tag: "${{ env.DOCKERHUB_NAMESPACE }}/${{ steps.extract-service-name.outputs.name }}:${{ steps.extract-service-version.outputs.version }}-${{ github.sha }}"
+          trivy_severity: "CRITICAL"
+          flavor: "${{ matrix.flavor }}"
+          working_directory: "services/${{ matrix.service }}"
diff --git a/.github/workflows/docker_on_release.yaml b/.github/workflows/docker_on_release.yaml
@@ -127,6 +127,7 @@ jobs:
     strategy:
       matrix:
         service: ${{ fromJson(needs.changed-services.outputs.services) }}
+        flavor: ["", "debian"]
       fail-fast: false
 
     steps:
@@ -173,50 +174,21 @@ jobs:
             exit 1
           fi
 
-      - name: Ensure that tag complies with semantic versioning.
-        uses: matt-usurp/validate-semver@v2
-        with:
-          version: ${{ steps.extract-service-version.outputs.version }}
-
       - name: Symlink requirement files
         id: symlink-requirements
         run: cp -r lock services/${{ matrix.service }}/lock
 
-      - name: Prepare Dockerfile
-        id: prepare-dockerfile
-        run: cp Dockerfile services/${{ matrix.service }}/ && sed -i "s/\(ENTRYPOINT \)\[\]/\1[\"${{ matrix.service }}\"]/" services/${{ matrix.service }}/Dockerfile
-
-      - uses: docker/setup-qemu-action@v3
-        name: Set up QEMU
+      - name: Prepare Dockerfiles
+        id: prepare-dockerfiles
+        run: cp Dockerfile* services/${{ matrix.service }}/ && sed -i "s/\(ENTRYPOINT \)\[\]/\1[\"${{ matrix.service }}\"]/" services/${{ matrix.service }}/Dockerfile*
 
-      - uses: docker/setup-buildx-action@v3
-        name: Set up Docker Buildx
-
-      - uses: docker/login-action@v3
-        name: Login to DockerHub
+      - name: Docker build and push
+        uses: ghga-de/gh-action-ci@v1
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - uses: docker/build-push-action@v5
-        name: Build and push
-        id: docker_build
-        with:
-          push: true
-          platforms: "${{ env.DOCKERHUB_PLATFORMS }}"
-          tags: "${{ steps.docker-tag.outputs.tag }}"
-          context: "services/${{ matrix.service }}"
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: "docker.io/${{ steps.docker-tag.outputs.tag }}"
-          format: "table"
-          exit-code: "1"
-          ignore-unfixed: true
-          vuln-type: "os,library"
-          severity: ${{ env.TRIVY_SEVERITY }}
-
-      - name: Image digest
-        shell: bash
-        run: echo ${{ steps.docker_build.outputs.digest }}
+          checkout: "false"
+          dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }}
+          dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }}
+          tag: "${{ steps.docker-tag.outputs.tag }}"
+          trivy_severity: "CRITICAL"
+          flavor: "${{ matrix.flavor }}"
+          working_directory: "services/${{ matrix.service }}"
diff --git a/Dockerfile b/Dockerfile
@@ -13,36 +13,38 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-## creating building container
-FROM python:3.12-slim-bookworm AS builder
-# update and install dependencies
-RUN apt update
-RUN apt upgrade -y
+# BASE: a base image with updated packages
+FROM python:3.12-alpine AS base
+RUN apk upgrade --no-cache --available
+
+# BUILDER: a container to build the service wheel
+FROM base AS builder
 RUN pip install build
-# copy code
 COPY . /service
 WORKDIR /service
-# build wheel
 RUN python -m build
 
-# creating running container
-FROM python:3.12-slim-bookworm
-# update and install dependencies
-RUN apt update
-RUN apt upgrade -y
-# copy and install requirements and wheel
+# DEP-BUILDER: a container to (build and) install dependencies
+FROM base AS dep-builder
+RUN apk update
+RUN apk add build-base gcc g++ libffi-dev zlib-dev
+RUN apk upgrade --available
 WORKDIR /service
 COPY --from=builder /service/lock/requirements.txt /service
 RUN pip install --no-deps -r requirements.txt
-RUN rm requirements.txt
+
+# RUNNER: a container to run the service
+FROM base AS runner
+WORKDIR /service
+RUN rm -rf /usr/local/lib/python3.12
+COPY --from=dep-builder /usr/local/lib/python3.12 /usr/local/lib/python3.12
 COPY --from=builder /service/dist/ /service
 RUN pip install --no-deps *.whl
 RUN rm *.whl
-# create new user and execute as that user
-RUN useradd --create-home appuser
+RUN adduser -D appuser
 WORKDIR /home/appuser
 USER appuser
-# set environment
-ENV PYTHONUNBUFFERED=1s
+ENV PYTHONUNBUFFERED=1
 
+# Please adapt to package name:
 ENTRYPOINT []
diff --git a/Dockerfile.debian b/Dockerfile.debian
@@ -0,0 +1,48 @@
+# Copyright 2021 - 2024 Universität Tübingen, DKFZ, EMBL, and Universität zu Köln
+# for the German Human Genome-Phenome Archive (GHGA)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## creating building container
+FROM python:3.12-slim-bookworm AS builder
+# update and install dependencies
+RUN apt update
+RUN apt upgrade -y
+RUN pip install build
+# copy code
+COPY . /service
+WORKDIR /service
+# build wheel
+RUN python -m build
+
+# creating running container
+FROM python:3.12-slim-bookworm
+# update and install dependencies
+RUN apt update
+RUN apt upgrade -y
+# copy and install requirements and wheel
+WORKDIR /service
+COPY --from=builder /service/lock/requirements.txt /service
+RUN pip install --no-deps -r requirements.txt
+RUN rm requirements.txt
+COPY --from=builder /service/dist/ /service
+RUN pip install --no-deps *.whl
+RUN rm *.whl
+# create new user and execute as that user
+RUN useradd --create-home appuser
+WORKDIR /home/appuser
+USER appuser
+# set environment
+ENV PYTHONUNBUFFERED=1
+
+ENTRYPOINT []